Update licensing-tiers guide: signed-key entitlement ceiling
This commit is contained in:
Keysat
@@ -23,12 +23,16 @@ license lifts those caps and unlocks `recurring_billing` + `zaprite_payments`.
|
||||
Treat any "marketplace build refuses to start without a license" wording in code
|
||||
comments or copy as stale.
|
||||
|
||||
## Live entitlements
|
||||
## Live entitlements, clamped to the signed key
|
||||
|
||||
Tier gates must read **LIVE** entitlements from `licenses.entitlements` (refreshed
|
||||
hourly by `refresh_self_tier_from_db` in `license_self.rs`), **not** the
|
||||
entitlements baked into the signed payload at issue time. The signed payload is a
|
||||
point-in-time snapshot; entitlements can change after issuance.
|
||||
Tier gates read **live** entitlements from `licenses.entitlements`, refreshed
|
||||
hourly by `refresh_self_tier_from_db` in `license_self.rs`, so issuer-applied
|
||||
**downgrades, suspensions, and revocations** reach a running daemon without a
|
||||
restart. The signed self-license key is the **ceiling**: the live DB row may
|
||||
*narrow* the tier but never *widen* it past what the signature grants
|
||||
(`clamp_to_signed_ceiling`). A genuine **upgrade** therefore comes from a
|
||||
re-issued key — re-run the StartOS "Activate Keysat license" action — not from
|
||||
editing the DB row.
|
||||
|
||||
## Never silently widen a tier
|
||||
|
||||
|
||||
Reference in New Issue
Block a user